StarMade 0.09473: Security Fix

schema · Nov 14, 2013

Hello players,

I have to release a new version now, as there is a security leak on older version that can be exploited.

Security

Note that passwords were never in danger (as they were never sent to anything besides star-made.org), it was only possible to reset the password on ones account. This has also already been fixed as you now require an old password to change your current, and you need an email confirmation to change your email. To reset your password (if you really have forgotten it), you have to be logged out. A "request new password" link will appear under the login block.

The breach was possible due to session hijacking. Fortunately no damage was done, and it has been fixed 100%.

Since there is no point in security through obfuscation, this is how it works:

1. client logs into star-made.org
2. clients creates a code and sets it on his account (only possible when logged in)
3. client logs into server and supplies the code he set
4. server can request the current code for a client (but nothing else)
5. if code is the server is requested is the same as the client supplied, the client is who he says he is.
6. after logging in the client resets the code, so it's basically one time use only

This system will be replaced with a faster token system when the new website is ready.

Structure Tab

Please not that this is still work in progress, so it's not complete yet, and there might be bugs.

Thank you for playing StarMade,

- schema

aceface · Nov 14, 2013

I\'d like to see those npcs give out randomly generated missions - would be very fun!

therimmer96 · Nov 14, 2013

Why can I not download this in the launcher? It says I am running the latest version

Draren Thiralas · Nov 14, 2013

Will you still tell us about the new stuff tomorrow? I played the pre-build, but i saw nothing unusual.

therimmer96 · Nov 14, 2013

Is this update actually coming out? It has been 2 hours. Please dont tease me on something I really want!

warezit · Nov 14, 2013

Just tried to run this update, which was released a little over 2 hours ago, and the console for my servers, say they are running the latest version already.

\"version 20131111_192915\"

Is this update not acctually pushed out to the public yet?

warezit · Nov 14, 2013

I can see the new build now, as of approx. 2 mins ago.

inchrist · Nov 14, 2013

i can uplink acount and can not play

Fum · Nov 14, 2013

I am a little concerned these tokens will be exploited. The Minecraft name stealing hack was done by making a player connect to hacker\'s server X, which then as soon as the client authenticated with a unique single-use token, took that token and with this token attempted to login to normal server Y.
Basically, if a player connects to a malicious server, the server owner can steal and use the token on normal severs pretending to be the player. I do not know how Minecraft solved it, but from your description the same is now possible in Star Made.

gravypod · Nov 14, 2013

If as a server owner I get the code, can I spoof being anyone who connects to my server? You should look into a public/private key setup like BTC has if that is the case

schema · Nov 14, 2013

This is not possible on star-made, as the token doesn\'t get reset by the server, but the client. Even if the server doesn\'t use the token, the client will invalidate it after he logged in (or failed to log in), making that token useless to use for anyone else

schema · Nov 14, 2013

This is not possible on star-made, as the token doesn\'t get reset by the server, but the client. Even if the server doesn\'t use the token, the client will invalidate it after he logged in (or failed to log in), making that token useless to use for anyone else.

but this is only a temporary solution anyway until the new site gives me a lot more options to implement a 100% safe way

therimmer96 · Nov 14, 2013

I understand it is not done yet, but i must say I was expecting the ability to control more than doors and AI. I was hoping for light groupings mainly that can be turned off. Still brilliant. Just not very user friendly for bigger ships yet

TheUltimateWigga · Nov 14, 2013

I Uplinked. But however it\'s not letting me play at all. What should I do?

schema · Nov 14, 2013

there might be an issue with not yet updated servers doing auth before version check right now, not leting you in. You should be able to joing play.star-made.org:4242

Konkurrent · Nov 14, 2013

Please Fix the Nullpointexception with the Admintool.

therimmer96 · Nov 14, 2013

Salvaging just wont work for us anymore. We see the beams, but no salvaging

zkullz · Nov 15, 2013

My universe was reset after this update on my single player...

Snapems · Nov 15, 2013

I can\'t aim turrets when piloting them in this ver. Well, you can \'aim\' them (within the direction they\'re pointing), but they don\'t move.

KantagaXD · Nov 15, 2013

add a search bar on the site

Search

StarMade 0.09473: Security Fix

schema

Cat God

aceface

therimmer96

The Cake Network Staff Senior button unpusher

Draren Thiralas

therimmer96

The Cake Network Staff Senior button unpusher

warezit

warezit

inchrist

Fum

gravypod

schema

Cat God

schema

Cat God

therimmer96

The Cake Network Staff Senior button unpusher

TheUltimateWigga

schema

Cat God

Konkurrent

therimmer96

The Cake Network Staff Senior button unpusher

zkullz

Snapems

KantagaXD